Content deleted Content added
m grammar |
m →top |
||
Line 5:
Many [[web application framework]]s offer an [[active record pattern|active record]] feature, where database record fields can be modified by automatically generated web API methods. If the framework doesn't prevent that automatically and the application designer doesn't mark specific fields as immutable this way, it's possible to abuse the API call and modify these hidden fields.<ref>{{cite web | url=http://cwe.mitre.org/data/definitions/915.html | title=CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes | publisher=NIST | work=Common Weakness Enumeration | accessdate=February 27, 2013}}</ref>
These vulnerabilities were found in applications written in [[Ruby on Rails]],<ref>{{cite web | url=http://guides.rubyonrails.org/security.html#mass-assignment | title=Mass Assignment | work=Ruby On Rails Security Guide | accessdate=February 27, 2013}}</ref> [[ASP.NET MVC
In 2012 mass assignment on Ruby on Rails was published that allowed injection of unauthorized [[Secure Shell|SSH]] public keys into user accounts at [[GitHub]].<ref>{{cite web | url=http://www.zdnet.com/github-suspends-member-over-mass-assignment-hack-4010025556/ | title=GitHub suspends member over 'mass-assignment' hack | publisher=ZDnet | year=2012 | accessdate=February 27, 2013}}</ref>
| |||